Digital privacy is an evolving, hot topic in the world right now. With the rise of ecommerce, digital marketing, online offers, and smart devices, it’s extremely difficult not to have your personal information – whether that be transactional information or information that defines you – out there. But what if we thought about it from the standpoint of your business? How can you make sure your organization is protecting individuals’ data and following best privacy practices? Let’s delve into how you can create a privacy initiative roadmap for your organization.
Step 1: Commit to it
Among the important principles are practicing transparency with individuals about how you’ll be using their data and being able to give them that information if they ask for it. Another important principle that all organizations should follow is the accountability principle, meaning that your organization’s data controller is held accountable for complying with the privacy principles and the measures that support them.
Step 2: Create a Privacy Threshold Assessment
Take inventory of everything that involves your data. Privacy Threshold Assessments (PTAs) are a great tool meant to help organizations create and assess privacy documentation requirements of business activities, such as procedures around storing personal information and email marketing.
To create a PTA, you should first figure out what data you’re currently collecting, such as credit card information, birth date, phone number, gender, habitual patterns, survey answers, and data being collected by your app (e.g., location services). The list is long, and those are just a few examples of data it is easy to forget you’re collecting.
Next, analyze why you’re collecting it and how it’s being used. Is the information you collect being sold or disclosed to any third-party vendors you’re working with, and does the data source know about it? Has the individual given consent to receive promotional emails from your organization? If the information is no longer relevant or you know it will never be used, simply get rid of it. You also must think about regulations and policies that pertain to the data you’re collecting and what it’s being used for.
Creating a PTA is all about digging deep into all the information your organization may be collecting on an individual – which is easier said than done, and will most likely take a lot of research depending on the depth and breadth of your organization’s offerings, promotions, or nature of business (like a municipality or hospital).
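The questions in Step 2 (what is collected, why, who it is shared with, whether the individual was told or gave consent, and whether it is still used) can be run as a repeatable check over a structured inventory. The following is an added example, not code from the original article; the inventory records, vendor names and purposes are constructed for illustration, and the `DataElement` fields are an assumed structure, not a standard PTA schema.

```python
"""Privacy Threshold Assessment (PTA) inventory check.

Constructed example: each record describes one kind of personal data an
organization collects, why it is collected, who receives it, and whether the
individual was told or gave consent. The checks mirror Step 2's questions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DataElement:
    name: str                         # e.g. "credit card number"
    purpose: Optional[str]            # why it is collected; None = no known use
    shared_with: list = field(default_factory=list)  # third parties receiving it
    sharing_disclosed: bool = False   # was the individual told about the sharing?
    requires_consent: bool = False    # e.g. promotional email
    consent_obtained: bool = False
    still_relevant: bool = True       # does any current process use it?


NO_PURPOSE = "no documented purpose: delete or document before retaining"
NOT_RELEVANT = "no longer used by any process: schedule deletion"
UNDISCLOSED_SHARING = "shared with third parties without disclosure to the individual"
MISSING_CONSENT = "use requires consent that was not obtained"


def assess(element: DataElement) -> list:
    """Return the list of findings for one inventory record (empty = fine)."""
    findings = []
    if not element.purpose:
        findings.append(NO_PURPOSE)
    elif not element.still_relevant:
        findings.append(NOT_RELEVANT)
    if element.shared_with and not element.sharing_disclosed:
        findings.append(UNDISCLOSED_SHARING + ": " + ", ".join(element.shared_with))
    if element.requires_consent and not element.consent_obtained:
        findings.append(MISSING_CONSENT)
    return findings


def assess_inventory(inventory) -> dict:
    """Map element name -> findings, for elements with at least one finding."""
    report = {}
    for element in inventory:
        findings = assess(element)
        if findings:
            report[element.name] = findings
    return report


def deletion_candidates(inventory) -> list:
    """Data with no purpose or no remaining use: 'simply get rid of it'."""
    return sorted(e.name for e in inventory if not e.purpose or not e.still_relevant)


# Constructed sample inventory (hypothetical data elements and vendors).
SAMPLE_INVENTORY = [
    DataElement("credit card number", "payment processing",
                shared_with=["payment processor"], sharing_disclosed=True),
    DataElement("birth date", None),
    DataElement("email address (promotions)", "promotional email",
                requires_consent=True, consent_obtained=False),
    DataElement("app location", "store locator",
                shared_with=["analytics vendor"], sharing_disclosed=False),
    DataElement("2019 survey answers", "one-off campaign", still_relevant=False),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    print("deletion candidates:", deletion_candidates(SAMPLE_INVENTORY))
```

Running the module prints one block per element that needs attention; the credit card record produces no finding because its sharing is disclosed and its purpose is documented. Keeping the inventory in a structured form like this makes it easy to re-run the assessment whenever a new app feature, campaign, or vendor starts collecting or receiving data.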
Step 3: Put protection mechanisms into place
Once you’ve developed a PTA, you must put the appropriate protection mechanisms into place to keep your data safe. This is where having a strong cybersecurity program comes in, and includes things like:
- Automated hardware and software tools like firewalls and antivirus;
- Intrusion detection and intrusion prevention mechanisms;
- Having a reliable threat detection service such as Tyler Detect;
- Training employees on social engineering tactics;
- Creating a cybersecurity culture in the organization by training people, creating processes around security and privacy, and applying those processes to the technology;
- Keeping your data confidential and only available to those who need to see it; and
- Assuring the integrity of your data and making sure it’s never manipulated or forged.
Having multiple layers of protection and defense mechanisms is crucial not only to developing a strong cybersecurity program, but also to protecting the sensitive customer and prospect data you collect daily. Start by implementing a few of the tools and trainings listed above.
Step 4: Comply with your policies and applicable laws and regulations
When creating a privacy roadmap initiative, you must think globally even if your customers and prospects are mostly from the United States. Laws like GDPR and CCPA apply to certain geographical areas, and chances are good you have collected some data from individuals residing in those areas, even if you may not be aware of it. Ensuring that you comply with these laws will not only give you a great privacy practice, but will also prepare you for laws that are likely to start cropping up in the areas where you actually do business.
Sector regulations may also affect how you treat privacy. In the financial industry it’s the Gramm-Leach-Bliley Act (GLBA), and in the world of healthcare it’s the Health Insurance Portability and Accountability Act (HIPAA). While you must comply with those, they don’t amount to a full privacy plan, because they only cover transactional and discrete data sets, and you are probably collecting more data than those regulations protect.